Microsoft 365

Microsoft 365 Security Hardening Guide for Business

Microsoft 365 default settings are designed for convenience, not security. Here's what to change to actually protect your business.

Default M365 Security Gaps

Out of the box, Microsoft 365 leaves these security gaps:

MFA is not enforced by default for all users
Legacy authentication protocols are enabled (allow password-only access)
External sharing in SharePoint and OneDrive is open by default
Audit logging is not enabled in all plans
Email forwarding to external addresses is allowed
Admin accounts have no additional protections

1. Enforce Multi-Factor Authentication (MFA)

MFA blocks 99.9% of account compromise attacks. This is the single most impactful security change you can make.

How to enable:

1. Go to Microsoft Entra admin center (entra.microsoft.com)
2. Navigate to Protection > Conditional Access
3. Create a policy requiring MFA for all users, all cloud apps
4. Exclude emergency break-glass accounts (but protect them differently)

Recommended: Use phishing-resistant MFA (FIDO2 security keys or Microsoft Authenticator with number matching) instead of SMS codes. SMS can be intercepted via SIM swapping.

2. Configure Conditional Access Policies

Block legacy authentication

Disable protocols like POP3, IMAP, and SMTP auth that bypass MFA. These are the most exploited entry points.

Require compliant devices

Only allow access from devices that meet your security requirements (updated OS, antivirus, encryption).

Block risky sign-ins

Use Azure AD Identity Protection to automatically block sign-ins from suspicious locations or compromised credentials.

Restrict admin access

Require MFA + compliant device + specific IP range for all admin portal access.

3. Harden Email Security

Anti-phishing policies

Enable impersonation protection in Microsoft Defender for Office 365. Add your executives and key partners to the protected users list.

Safe Links

Enable URL rewriting to scan links at time of click, not just at delivery. Attackers commonly weaponize links after the email is delivered.

Safe Attachments

Enable dynamic delivery or block mode for attachments. This detonates suspicious attachments in a sandbox before delivering them.

Disable auto-forwarding

Block automatic email forwarding to external domains. Attackers set up forwarding rules to exfiltrate data after compromising an account.

SPF, DKIM, DMARC

Configure all three email authentication protocols. Microsoft 365 supports DKIM signing natively through the Defender portal.

4. Secure SharePoint and OneDrive

Restrict external sharing to specific approved domains or disable it entirely
Set sharing links to expire automatically (7-30 days)
Disable anonymous 'Anyone with the link' sharing
Enable sensitivity labels to classify and protect documents
Block download on unmanaged devices (allow view only)
Review sharing permissions quarterly

5. Enable Audit Logging

Audit logs are essential for incident investigation. Without them, you cannot determine what happened during a breach.

Enable unified audit logging in the Microsoft Purview compliance portal
Set log retention to the maximum your license allows (90 days for E3, 1 year for E5)
Monitor for suspicious activities: mass file downloads, mailbox rule changes, admin role assignments
Consider exporting logs to a SIEM for longer retention and correlation

6. Manage Admin Roles

Minimize Global Admins: no more than 2-4 accounts should have Global Admin
Use role-based admin roles (Exchange Admin, SharePoint Admin) instead of Global Admin
Create dedicated admin accounts separate from daily-use accounts
Enable Privileged Identity Management (PIM) for just-in-time admin access
Create 2 break-glass emergency accounts with Global Admin (no MFA, complex passwords, monitored)

Quick Hardening Checklist

Enforce MFA for all users

Block legacy authentication

Enable Safe Links and Safe Attachments

Configure anti-phishing policies

Disable external email auto-forwarding

Set up SPF, DKIM, and DMARC

Restrict SharePoint external sharing

Enable audit logging

Minimize Global Admin accounts

Review permissions quarterly

Need Help Securing Microsoft 365?

We configure and manage Microsoft 365 security for businesses. From initial hardening to ongoing monitoring, we make sure your M365 environment is locked down.

Email Security

Get Security Insights Delivered

One email per month with our best articles. No spam.

Default M365 Security Gaps

Out of the box, Microsoft 365 leaves these security gaps:

MFA is not enforced by default for all users
Legacy authentication protocols are enabled (allow password-only access)
External sharing in SharePoint and OneDrive is open by default
Audit logging is not enabled in all plans
Email forwarding to external addresses is allowed
Admin accounts have no additional protections

1. Enforce Multi-Factor Authentication (MFA)

MFA blocks 99.9% of account compromise attacks. This is the single most impactful security change you can make.

How to enable:

1. Go to Microsoft Entra admin center (entra.microsoft.com)
2. Navigate to Protection > Conditional Access
3. Create a policy requiring MFA for all users, all cloud apps
4. Exclude emergency break-glass accounts (but protect them differently)

Recommended: Use phishing-resistant MFA (FIDO2 security keys or Microsoft Authenticator with number matching) instead of SMS codes. SMS can be intercepted via SIM swapping.

2. Configure Conditional Access Policies

Block legacy authentication

Disable protocols like POP3, IMAP, and SMTP auth that bypass MFA. These are the most exploited entry points.

Require compliant devices

Only allow access from devices that meet your security requirements (updated OS, antivirus, encryption).

Block risky sign-ins

Use Azure AD Identity Protection to automatically block sign-ins from suspicious locations or compromised credentials.

Restrict admin access

Require MFA + compliant device + specific IP range for all admin portal access.

3. Harden Email Security

Anti-phishing policies

Enable impersonation protection in Microsoft Defender for Office 365. Add your executives and key partners to the protected users list.

Safe Links

Enable URL rewriting to scan links at time of click, not just at delivery. Attackers commonly weaponize links after the email is delivered.

Safe Attachments

Enable dynamic delivery or block mode for attachments. This detonates suspicious attachments in a sandbox before delivering them.

Disable auto-forwarding

Block automatic email forwarding to external domains. Attackers set up forwarding rules to exfiltrate data after compromising an account.

SPF, DKIM, DMARC

Configure all three email authentication protocols. Microsoft 365 supports DKIM signing natively through the Defender portal.

4. Secure SharePoint and OneDrive

Restrict external sharing to specific approved domains or disable it entirely
Set sharing links to expire automatically (7-30 days)
Disable anonymous 'Anyone with the link' sharing
Enable sensitivity labels to classify and protect documents
Block download on unmanaged devices (allow view only)
Review sharing permissions quarterly

5. Enable Audit Logging

Audit logs are essential for incident investigation. Without them, you cannot determine what happened during a breach.

Enable unified audit logging in the Microsoft Purview compliance portal
Set log retention to the maximum your license allows (90 days for E3, 1 year for E5)
Monitor for suspicious activities: mass file downloads, mailbox rule changes, admin role assignments
Consider exporting logs to a SIEM for longer retention and correlation

6. Manage Admin Roles

Minimize Global Admins: no more than 2-4 accounts should have Global Admin
Use role-based admin roles (Exchange Admin, SharePoint Admin) instead of Global Admin
Create dedicated admin accounts separate from daily-use accounts
Enable Privileged Identity Management (PIM) for just-in-time admin access
Create 2 break-glass emergency accounts with Global Admin (no MFA, complex passwords, monitored)

Quick Hardening Checklist

Enforce MFA for all users

Block legacy authentication

Enable Safe Links and Safe Attachments

Configure anti-phishing policies

Disable external email auto-forwarding

Set up SPF, DKIM, and DMARC

Restrict SharePoint external sharing

Enable audit logging

Minimize Global Admin accounts

Review permissions quarterly

Microsoft 365 Security Hardening Guide for Business

Default M365 Security Gaps

1. Enforce Multi-Factor Authentication (MFA)

How to enable:

2. Configure Conditional Access Policies

Block legacy authentication

Require compliant devices

Block risky sign-ins

Restrict admin access

3. Harden Email Security

Anti-phishing policies

Safe Links

Safe Attachments

Disable auto-forwarding

SPF, DKIM, DMARC

4. Secure SharePoint and OneDrive

5. Enable Audit Logging

6. Manage Admin Roles

Quick Hardening Checklist

Need Help Securing Microsoft 365?

Related Articles

How to Set Up DMARC for Microsoft 365 (Step-by-Step Guide)

How to Migrate Your Business Email Without Losing Data

How to Check If Your Email Is Secure: Free Email Security Assessment

Get Security Insights Delivered

Microsoft 365 Security Hardening Guide for Business

Default M365 Security Gaps

1. Enforce Multi-Factor Authentication (MFA)

How to enable:

2. Configure Conditional Access Policies

Block legacy authentication

Require compliant devices

Block risky sign-ins

Restrict admin access

3. Harden Email Security

Anti-phishing policies

Safe Links

Safe Attachments

Disable auto-forwarding

SPF, DKIM, DMARC

4. Secure SharePoint and OneDrive

5. Enable Audit Logging

6. Manage Admin Roles

Quick Hardening Checklist

Need Help Securing Microsoft 365?

Related Articles

How to Set Up DMARC for Microsoft 365 (Step-by-Step Guide)

How to Migrate Your Business Email Without Losing Data

How to Check If Your Email Is Secure: Free Email Security Assessment

Get Security Insights Delivered